SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(CentOS Issues Fix) Oracle Java SE Bugs Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges
SecurityTracker Alert ID:  1037665
SecurityTracker URL:  http://securitytracker.com/id/1037665
CVE Reference:   CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289
Date:  Jan 22 2017
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6u131, 7u121, 8u112
Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can access data on the target system. A remote user can modify data on the target system. A remote user can cause denial of service conditions on the target system. A remote user can gain elevated privileges.

A remote user can exploit a flaw in the Hotspot component to gain elevated privileges [CVE-2017-3289].

A remote user can exploit a flaw in the Libraries component to gain elevated privileges [CVE-2017-3272].

A remote user can exploit a flaw in the RMI component to gain elevated privileges [CVE-2017-3241].

A remote user can exploit a flaw in the AWT component to gain elevated privileges [CVE-2017-3260].

A remote user can exploit a flaw in the 2D component to cause denial of service conditions [CVE-2017-3253].

A remote user can exploit a flaw in the Libraries component to modify data [CVE-2016-5546].

A remote user can exploit a flaw in the Libraries component to access data [CVE-2016-5548, CVE-2016-5549].

A remote authenticated user can exploit a flaw in the JAAS component to modify data [CVE-2017-3252].

A remote user can exploit a flaw in the Java Mission Control component to partially access data [CVE-2017-3262].

A remote user can exploit a flaw in the Libraries component to cause partial denial of service conditions [CVE-2016-5547].

A remote user can exploit a flaw in the Networking component to partially modify data [CVE-2016-5552].

A remote user can exploit a flaw in the Networking component to partially access data [CVE-2017-3231, CVE-2017-3261].

A remote user can exploit a flaw in the Deployment component to partially access data [CVE-2017-3259].

A remote user can exploit a flaw in the Java Mission Control component to partially modify data [CVE-2016-8328].

The following researchers reported these and other Oracle product vulnerabilities:

Aleksandar Nikolic of Cisco Talos; Alexander Mirosh of Hewlett Packard Enterprise; Alvaro Munoz of Hewlett Packard Enterprise; Andrew Fowler of Lithium; Behzad Najjarpour Jabbari, Secunia Research at Flexera Software; Blessen Thomas of EY Global Delivery Services; Brian Martin of Tenable Network Security;
Daniel Bleichenbacher of Google; Daniel Fahlgren; David Litchfield formerly of Google; Dawid Golunski of Legal Hackers; Deniz Cevik of Biznet Bilisim A.S.; Dmitry Yudin of ERPScan; Emiliano J. Fausto of Onapsis; Gaston Traberg of Onapsis; Jacob Baines - Tenable Network Security (via Trend Micro's Zero Day Initiative); John Page (hyp3rlinx); Kristian Hermansen at undisclosed; Li Qiang of the Qihoo 360 Gear Team;
ma.la of LINE Corporation; Mala; Maris Elsins of Google; Matias Mevied of Onapsis; Moritz Bechler; Nicholas Lemonias of Advanced Information Security Corporation; Owais Mehtab of IS; Per Lindberg; Red Hat Product Security; Roman Shalymov of ERPScan; Shannon Hickey of Adobe; Tayeeb Rana of IS; Ubais PK of EY Global Delivery Services; Wladislaw Mitzel; Wolfgang Hotwagner; Xiejingwei Fei of FINRA;
XOR19 of Trend Micro's Zero Day Initiative; and Zuozhi Fan formerly of Alibaba.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A remote user can gain elevated privileges on the target system.

Solution:   CentOS has issued a fix for CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3261, CVE-2017-3272, and CVE-2017-3289 for java-1.8.0-openjdk.


Cause:   Not specified
Underlying OS:  Linux (CentOS)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Jan 19 2017 Oracle Java SE Bugs Let Remote Users Access and Modify Data, Deny Service, and Gain Elevated Privileges



Source Message Contents

Subject:  [CentOS-announce] CESA-2017:0180 Critical CentOS 7 java-1.8.0-openjdk Security Update


CentOS Errata and Security Advisory 2017:0180 Critical

Upstream details at : https://rhn.redhat.com/errata/RHSA-2017-0180.html

The following updated files have been uploaded and are currently syncing to the mirrors: ( sha256sum Filename )




-- 
Johnny Hughes
CentOS Project { http://www.centos.org/ }
irc: hughesjr, #centos@irc.freenode.net
Twitter: @JohnnyCentOS

Copyright 2019, SecurityGlobal.net LLC